To build on Derek's response ... we do target the web developer with a clue. I think Andrew thinks we should aim lower - as folks working on "website in a box" type solutions typically do.
I'd say it's also the case that when someone without a clue builds a website, it's likely to attract little attention and in practice the chance of someone using a packet sniffer to grab a password in the clear, log in, and do Something Terrible to such a website are ... very low.
Not that this is an excuse for not using SSL.
But I think Andrew's raising a non-issue here.
